Dynamic Analysis of Usage Control Policies

Yehia Elrakaiby, Jun Pang

Abstract

Usage control extends access control by enabling the specification of requirements that should be satisfied before, during and after access. To ensure that the deployment of usage control policies in target domains achieves the required security goals, policy verification and analysis tools are needed. In this paper, we present an approach for the dynamic analysis of usage control policies using formal descriptions of target domains and their usage control policies. Our approach gives usage control management an explicit labeled transition system semantics and enables the automated verification of usage control policies using model checking.



Paper Citation


in Harvard Style

Elrakaiby Y. and Pang J. (2014). Dynamic Analysis of Usage Control Policies. In Proceedings of the 11th International Conference on Security and Cryptography - Volume 1: SECRYPT, (ICETE 2014) ISBN 978-989-758-045-1, pages 88-100. DOI: 10.5220/0005046600880100


in Bibtex Style

@conference{secrypt14,
author={Yehia Elrakaiby and Jun Pang},
title={Dynamic Analysis of Usage Control Policies},
booktitle={Proceedings of the 11th International Conference on Security and Cryptography - Volume 1: SECRYPT, (ICETE 2014)},
year={2014},
pages={88-100},
publisher={SciTePress},
organization={INSTICC},
doi={10.5220/0005046600880100},
isbn={978-989-758-045-1},
}


in EndNote Style

TY - CONF
JO - Proceedings of the 11th International Conference on Security and Cryptography - Volume 1: SECRYPT, (ICETE 2014)
TI - Dynamic Analysis of Usage Control Policies
SN - 978-989-758-045-1
AU - Elrakaiby Y.
AU - Pang J.
PY - 2014
SP - 88
EP - 100
DO - 10.5220/0005046600880100